Mandatory data retention laws have been on and off the legislative agenda for a number of years. At present, telecommunications providers are under no legal obligation to store customer records but generally do so as needed for their own business purposes. The Attorney-General’s Department reported that more than 300 000 warrantless requests for access of existing records were made in 2012–13, with the numbers showing a significant upward trend. The majority of requests are made by federal and state law enforcement agencies but local councils and other agencies with regulatory or revenue protecting functions may currently also access such data even though they are not concerned with national security or serious crime.
The Data Retention Bill proposes to standardise the types of telecommunications data that service providers must retain and the period of time for which that information must be held. It also aims to put the access regime on a more principled footing by limiting the range of agencies which can seek access and introducing new oversight arrangements. Problematically, the Bill only defines the categories of information to be stored but leaves the detail to be determined by regulation. However, the Bill does make clear that the retention regime is limited to metadata, such as subscriber information of phone and internet services including phone numbers and IP addresses; time, duration and participants of outgoing and incoming calls; location of devices; and the equivalent information relating to SMS, emails, chats and other electronic communications. It expressly excludes the contents of phone calls, SMS, emails and chats. The technical nature of many of the issues involved in data retention became apparent when the government had repeatedly bungled its attempts in August 2014 to explain to the media whether web-browsing history was part of metadata (the Bill now clarifies that it is not).
Mandatory data retention regimes raise fears of mass surveillance without suspicion. Even though metadata is not concerned with the content of one’s communications, it still reveals much highly significant information about a person’s social network and communication habits. In 2014, the European Court of Justice declared invalid the mandatory retention regime introduced by the EU Data Retention Directive of 2006 because it constituted a disproportionate intrusion into the human rights to privacy and data protection, as protected under European law. While telecommunications data can be an important investigatory tool for law enforcement, its access and use must be carefully circumscribed to ensure that legitimate privacy concerns are given appropriate weight. Against this background, it is to be welcomed that the government has agreed to refer the bill to the Parliamentary Joint Committee on Intelligence and Security for review and public enquiry. However, with the Labor Party having already declared its agreement in principle with the government’s plans for a data retention regime, it remains to be seen whether the legislative process can still be meaningfully influenced by telecommunications providers, privacy advocates and civil society.
NORMANN WITZLEB teaches law at Monash University